Method and system for automatically preserving persistent storage

ABSTRACT

Computer-based methods and systems for automatically protecting a storage device from unwanted alterations are provided. Example embodiments provide a Disk Access Redirection System, which includes a Redirection Driver, an Available Space Table (“AST”), a Protected Space Redirection Table (“PSRT”), and optionally an Unprotected Space Table (“UST”). The Redirection Driver is installed and registered with the computer operating system so that it can intercept storage device access requests (such as a disk read/write). When a storage access request for a read or a write is sent, the request is intercepted by the Redirection Driver, transparent to the code that invokes the storage access request. Upon intercepting a write request, the Redirection Driver determines whether the target location is protected (using the PSRT and UST). If so, the Redirection Driver writes to a redirected data area, allocating more space to the redirected data area as needed. Upon intercepting a read request, the Redirection Driver determines whether to read data from the specified source location or whether to translate the request to read data from the redirected data area to which the source location has been previously redirected. The Redirection Driver uses the AST, PSRT, and optionally the UST, to allocate available storage space for redirected write requests, redirect write requests for protected areas of the storage device, and redirect read requests when the read request specifies a storage location that has been previously redirected. A Redirection Driver can be implemented to intercept storage access requests at different levels of storage access, including files, clusters, logical sectors, physical sectors, or at any defined data abstraction level. When the computer system is shut down, the redirected data area is discarded, thereby automatically reinstating the original state of the storage device when the computer is rebooted.

CROSS-REFERENCE TO RELATED APPLICATION

[0001] This application claims the benefit of U.S. Provisional Patent Application No. 60/223,829 filed Aug. 8, 2000, which is incorporated herein by reference in its entirety.

BACKGROUND OF THE INVENTION

[0002] 1. Field of the Invention

[0003] The present invention relates to a method and system for protecting a computer system, and, in particular, to methods and systems for providing a storage redirection driver that protects the storage devices of a computer system from alteration.

[0004] 2. Background

[0005] Oftentimes it is desirable to ensure that a computer workstation remains unaltered, even though it is being used by a multitude of users in potentially varied and unknown ways. For example, in public environments such as schools, libraries, and other community facilities, access to a group of computer systems is highly desired, for example, to conduct research, use common resources of a company, or to learn and try new programs. Typically, these environments can be characterized as having “uncontrolled access,” because the moment-by-moment usage of the computer systems is not monitored.

[0006] In such situations, it is highly desirable to ensure that users can utilize the functionality of the computer system but not be allowed to “corrupt” the persistent storage of the system, so that follow-on users will find the system in a pristine state. One mechanism for preventing such corruption is to make a copy of the desired pristine state of the computer system and to restore the copy prior to shutdown of the system by each user. One difficulty with such an approach is that it is often difficult in operating system environments to capture the hardware on/off switch, and so, when a user cycles power without a proper operating system shutdown, the system is unable to successfully restore the pristine state.

[0007] Some systems have used special hardware cards to perform the copying. For example, one such system copies the pristine state of the disk storage device into a special disk partition before user access is permitted. Data from the special disk partition is then copied back (restored) upon computer system shutdown.

[0008] In database environments, other techniques have been used. Typically, for example, the database changes are “undone” (in opposite order) on the storage device to return it to a pristine state. This technique also suffers from failure in the power-cycle situation.

SUMMARY OF THE INVENTION

[0009] Embodiments of the present invention provide methods and systems for automatically preserving an original state of a computer system upon rebooting. Example embodiments provide a Disk Access Redirection System (the “DARS”) to allow all or portions of a storage device to be protected from modification. The DARS can protect such storage devices as disk drives, and other persistent and semi-persistent storage devices. The DARS reads data from and writes data to a redirected data area (a redirected space) when a storage access request is received that would otherwise alter the state of an area of the storage device that has been designated as protected. When the computer system is shut down, the redirected data area is discarded; thus, when the computer system is rebooted, the original state of the protected portions of the storage device is automatically restored, without the need to copy any information from a backup area.

[0010] In one embodiment, the DARS comprises a Redirection Driver, and several redirection tables, including an Available Space Table (“AST”), a Protected Space Redirection Table (“PSRT”), and, when unprotected areas can be designated, an Unprotected Space Table (“UST”). The AST indicates available space of a storage device and is used to allocate space as redirected space. The PSRT indicates the mappings of protected locations on the storage device to locations in the redirected space. The UST indicates unprotected locations of the storage device. In some embodiments, one or more entire storage devices can be designated as protected. In other embodiments, portions of a storage device can be designated as protected and other portions designated as unprotected. The DARS differentiates between protected and unprotected storage areas, redirecting storage write requests to a redirected data area when a storage area has been designated as protected.

[0011] In one embodiment, the protection level for the DARS is configurable. For example, the protection level may be configured as all storage is protected, portions of storage (at the device level or within a device) are protected, or no storage is protected. Variations of these combinations are also configurable.

[0012] In some embodiments, when a portion of storage is indicated as unprotected, it is written to directly by the appropriate storage driver. In other embodiments, the Redirection Driver redirects storage access requests to unprotected areas, and integrates them into the unprotected portion of storage upon computer system shutdown, or upon reboot.

[0013] In one embodiment, the Redirection Driver translates an original location in a storage access request to a redirected storage location and forwards a revised storage access request to the storage driver to perform the storage access. In another embodiment, the Redirection Driver performs the actual access itself.

[0014] In yet another embodiment, the Redirection Driver can redirect data at different driver access levels. For example, the Redirection Driver can redirect data at a file level, a cluster level, a logical sector level, or a physical sector level. Combinations of redirecting data at different levels are also provided. In addition, a Redirection Driver that operates using virtual clusters (or any data abstraction that can be implemented as any size object for storing data) can be used with the DARS. In this embodiment, available space objects are provided that implement the mapping between virtual clusters and the actual size of the space in the redirected area. Virtual cluster embodiments provide extensibility across operating systems and different storage devices.

[0015] In one embodiment that supports a layered driver architecture, the Redirection Driver is inserted into a chain of native operating system drivers and registered with the operating system. When a storage access request is made, the appropriate driver in the chain is invoked by the operating system. In this manner, the Redirection Driver intercepts storage access requests. In some such embodiments, the layer at which the Redirection Driver is inserted into the chain of drivers is based upon the level of storage access being redirected.

[0016] In some embodiments, the DARS optionally performs functions upon computer system shutdown. In one such embodiment, the DARS optionally saves the AST, PSRT, and UST tables so that the redirected data can be restored upon computer system reboot. In another embodiment, redirected data that corresponds to unprotected areas of storage is also saved.

[0017] In one embodiment, the DARS saves the AST and PSRT tables at a desired frequency to the hard disk, so that redirected data can be restored upon a system reboot.

BRIEF DESCRIPTION OF THE DRAWINGS

[0018] FIG. 1 is a graphic illustration of an example use of a Disk Access Redirection System (DARS) in a library.

[0019] FIG. 2 is an example block diagram of disk access redirection performed by the Disk Access Redirection System.

[0020] FIG. 3 is a block diagram of the components of an example embodiment of a Disk Access Redirection System.

[0021] FIG. 4 is an overview flow diagram of the example operation of the Disk Access Redirection System to achieve storage preservation according to techniques of the present invention.

[0022] FIG. 5 is an example flow diagram of the steps performed by the Disk Access Redirection System when the Redirection Driver intercepts a disk access request.

[0023] FIG. 6 is an example block diagram of a general purpose computer system for practicing preferred embodiments of the present invention.

[0024] FIG. 7 is an example block diagram of a typical layout of a physical disk storage device in a computer system.

[0025] FIG. 8 is an example block diagram of a disk drive partitioned into logical drives (partitions).

[0026] FIG. 9 is an example block diagram of a layered I/O driver architecture of a typical operating system with an inserted Redirection Driver.

[0027] FIG. 10 is an example block diagram illustrating how the Disk Access Redirection System tables are used by the Redirection Driver to redirect disk accesses.

[0028] FIG. 11 is an example block diagram of a disk drive with a File Allocation Table arranged according to the FAT 16 architecture.

[0029] FIG. 12 is an example block diagram of a disk drive with a File Allocation Table arranged according to the FAT 32 architecture.

[0030] FIG. 13 is an example block diagram of a disk drive arranged according to the New Technology File System (“NTFS”) architecture.

[0031] FIG. 14 is an example flow diagram of the steps performed by the Disk Access Redirection System when the computer system boots up.

[0032] FIG. 15 is an example flow diagram of the steps performed by the Disk Access Redirection System when a new device is mounted by the computer system.

[0033] FIG. 16 is an example flow diagram of the steps performed by the Redirection Driver when a read request is intercepted.

[0034] FIG. 17 is an example flow diagram of the steps performed by the Redirection Driver when a write request is intercepted.

[0035] FIG. 18 is an example flow diagram of the steps performed by the Redirection Driver when a system shutdown request is intercepted.

DETAILED DESCRIPTION OF THE INVENTION

[0036] Embodiments of the present invention provide methods and systemsfor preserving an original state of a computer system upon rebooting.Common operating systems and application programs rely upon storing datato and retrieving data from persistent storage devices such as harddisks and other types of memory. Example embodiments of the presentinvention provide a Disk Access Redirection System (the “DARS”) to allowall or portions of such storage to be protected from modification. Usingthe DARS, operating systems, application programs, and other code readand write data on a computer system storage device in a way thatautomatically allows the original state of protected portions of thestorage device to be re-established when the computer system isrebooted. Specifically, the DARS evaluates storage access requests andautomatically directs or redirects the flow of information so that,transparent to the user, the original state of the protected storagedevice is maintained and the changes to protected portions of thestorage device are discarded when the computer system is rebooted. Inthis manner, security of the storage device is insured—even from a userwho powers off the machine using a power switch without properlyshutting down the system. Although primarily discussed below withreference to disk storage and access, especially hard disks, one skilledin the art will recognize that the techniques of the present inventionare also applicable to other types of persistent and semi-persistentstorage devices, including such devices as: CDROMS, Flash Memory, floppydisks, and other types of removable media storage devices.

[0037] The Disk Access Redirection System is useful in a multitude ofsituations, including those in which it is desirable to allow operators(users) of the computer system to actually use the system to produceuseful output, but where the risk of leaving the system in an inoperablestate is too high. For example, the DARS may be useful in a teachingsituation where it is highly desirable that the computer system isn'ttruly modified after each teaching session and is returned to itsinitial state before each session. Or, for example, the DARS could beused in a library where a variety of persons with different levels ofexperience may need to use computer systems to locate particular piecesof literature, perform database searches, or edit documents (publicaccess word processing, for example). In these situations, it is desiredthat the machine can be easily (and speedily) returned to some known,operable state.

[0038]FIG. 1 is a graphic illustration of an example use of a DiskAccess Redirection System (DARS) in a library. A librarian 101 operatesand maintains a computer system 103 for the benefit of various users102. The computer system 103 includes a storage device 104 (for example,a hard disk) with available space 108. The users 102 may want to use thecomputer system 103, for example, to access an online card catalog,access the Internet, or perhaps even to download and execute programs onthe computer system 103. Without the use of the DARS, the users 102 maystore files on the hard disk 104 that may quickly exhaust the availablespace 108 or may execute malicious code, for example, that installsviruses on the hard disk 104. The DARS allows the librarian 101 toeasily restore the original state of the disk, which preferably containssufficient available space 108 and does not contain malicious code, bysimply rebooting the system.

[0039] Specifically, the librarian 101 first installs and activates theDARS on the computer system 103. The DARS identifies space on the diskthat is to be protected, protected space 106, and space that isavailable, available space 108, (e.g., space currently unused by anyprograms). Optionally, if only a portion of the disk is to be protected,unprotected space 105 may also be identified. As needed, the DARSallocates available space 108 to a “redirected” space 107. When theusers 102 execute programs that request data to be written to theprotected space 106 on the disk, the DARS automatically intercepts thewrite request and redirects the write to memory in the redirected space107 on the disk. When the users 102 execute programs that request datato be read from the disk, the DARS intercepts the read request and,automatically determines from which location the read should beperformed. When the librarian 101 or one of the users 102 shuts down thecomputer system 103, data stored in the redirected space 107 isdiscarded, rendering any apparent changes to the protected space 106“lost” from the user's perspective and “ignored” from the system'sperspective; when the computer system 103 is rebooted, the protectedspace 106 is unchanged from the state it occupied prior to installationof the DARS. In one embodiment, the DARS supports the ability to protectsome but not all portions of the disk. In this case, when the computersystem 103 is rebooted, modifications written to the unprotected space105 remain.

[0040]FIG. 2 is an example block diagram of disk access redirectionperformed by the Disk Access Redirection System. In summary, the DARSoperates by intercepting disk access requests before the appropriatedevice driver handles the disk access requests. A disk access request201 is formed, for example, by an application program or an operatingsystem function, and includes indicators that identify the type ofrequest and the memory address to which the access is being requested.The DARS 202 intercepts the disk access request 201 before it is sent tothe appropriate disk driver 203. The disk driver 203 then reads from orwrites to the designated area on disk drive 204.

[0041] In a typical operating system, storage devices are accessed bydevice drivers that are organized according to a layered architecture.For example, in the Windows 9X or NT systems, developed by MicrosoftCorporation, application requests to access a file are passed to one ormore high level drivers, which process and eventually forward therequest into one or more requests to a low level driver thatcommunicates with a device using physical address indicators. The DARS202 can be implemented to intercept disk access requests at several ofthese levels. Which driver(s) is (are) intercepted by the DARS 202depends upon whether redirection is occurring on the file, cluster, orsector level, or according to some other logical drive division schemeimplemented by the computer system or by the DARS 202.

[0042] Once the request is intercepted, the DARS 202 evaluates the typeof the request and determines whether the requested original address ora redirected address should be accessed. The DARS 202 then forwards thedisk access request 201 with the original address or a redirectedaddress to the appropriate drivers 203. The disk drivers 203 then handlethe disk access request 201, accessing as indicated, the protected space206, the unprotected space 205, or the redirected space 207. One skilledin the art will recognize that in an alternative embodiment, the DARS202 may handle the disk access request itself rather than forwarding therequest to native operating system disk drivers. Other combinations,such as forwarding the request when the original address is used andhandling it otherwise, are also contemplated.

[0043]FIG. 3 is a block diagram of the components of an exampleembodiment of a Disk Access Redirection System. The example embodimentof a Disk Access Redirection System 301 comprises a Redirection Driver302, an Available Space Table (AST) 303, a Protected Space RedirectionTable (PSRT) 304, and, optionally, an Unprotected Space Table (UST) 305.One skilled in the art will recognize that the AST 303, PSRT 304, andUST 305 may be stored in any type of storage, including for example,volatile memory. The Redirection Driver 302 intercepts the disk accessrequest, determines whether or not the requested memory address is to beredirected, and forwards the disk access request to the next appropriateInput/Output (“I/O”) driver. (See, for example, FIG. 2.) The AST 303 isused by the DARS 301 to map available memory for use as the redirectedspace (e.g., available space 208 and redirected space 207 in FIG. 2).The PSRT 304 is used by the DARS 301 to manage the mappings of protectedspace to redirected space (e.g., protected space 206 in FIG. 2). The UST305 is used by the DARS 301 to map the unprotected space so that it iseither written to directly or redirected to space that is preservedacross boot sessions. The UST 305 is optional in that there may beimplementations where all storage space is either protected oravailable, and none of the storage space is allowed to be unprotected(alterable).

[0044]FIG. 4 is an overview flow diagram of the example operation of theDisk Access Redirection System to achieve storage preservation accordingto techniques of the present invention. In step 401, a user turns on thecomputer system. In step 402, the computer system loads the RedirectionDriver. For example, in a computer system running the Microsoft Windows9X Operating System, the redirection driver is stored in a specialfolder, for example the “windows\system\iosubsys” folder to beautomatically loaded when the operating system boots up. In addition,the driver indicates to the operating system at which location in thelayered architecture it desires to be installed. In another example, acomputer system running the Microsoft Windows NT or 2000 OperatingSystem, the redirection driver is registered with the operating systemduring an installation procedure. When the computer is booted, theredirection driver is loaded by the operating system. One skilled in theart will recognize that the specific steps necessary to install,register, initialize and/or load the redirection driver may varydepending on requirements of the operating system or other systemcomponents. These system dependent modifications are contemplated andare to be included within the scope of the invention.

[0045] In step 403, the computer system determines the desiredprotection level. For example, the computer system may allow a user, forexample, a system administrator or other operator, to access a passwordprotected user interface, through which the user specifies a desiredlevel of system protection. The user interface may be implemented, forexample, as a portion of the DARS redirection driver (which grabscontrol of the system right after it boots up) or as a separate part ofthe operating system installed as an initial start-up program. Exampleprotection levels may include no protection, partial protection, andfull protection. These protection levels correspond to the amount ofsecurity desired, where full protection insures no alteration of thepersistent storage devices. In step 404, the system examines thedetermined protection level, and if no protection is desired, the DARSis effectively terminated in that the Redirection Driver is notinitialized to intercept requests; otherwise, the system continues instep 405.

[0046] In step 405, if the DARS determines that the computer system isto be partially or fully protected, it registers the Redirection Driverto intercept disk access requests at the appropriate level as discussedwith reference to FIG. 2. For the purposes herein, “registered” impliesany actions (including none) that are required by a particular operatingsystem to make the Redirection Driver known to the operating system sothat the Redirection Driver can intercept access requests. In somecases, “registered” means that the Redirection Driver calls a particularoperating system function to become known. In other cases, such aswithin Windows 9X, the driver is automatically registered to interceptrequests at a location in the driver chain according to data stored inthe Redirection Driver file at bootup time provided the driver is storedin the “windows\system\iosubsys” directory. In systems running theWindows NT operating system, data stored in the operating systemregistry when the driver is installed is used to register the driver atthe correct level each time the system is booted.

[0047] In step 406, as disk access requests are received, theRedirection Driver intercepts the disk access requests. The stepsperformed by the DARS when the Redirection Driver intercepts disk accessrequests are discussed below in detail, with respect to FIG. 5.Typically, at some later point in time, in step 409, the computer systemshuts down. Optionally, steps 407 and 408 are performed before thecomputer system shuts down. In step 407 the Redirection Driverintercepts the system shutdown request. In step 408, based on thedetermined protection level, the DARS may either save modifications thatwere made or discard them.

[0048]FIG. 5 is an example flow diagram of the steps performed by theDisk Access Redirection System when the Redirection Driver intercepts adisk access request. As discussed above, with respect to FIG. 4, thecomputer system determines the protection level for the system. If noprotection level is desired, the Redirection Driver is not initialized(or registered to intercept access requests), so has no effect on diskaccesses. If at least partial protection of the computer system isdesired, then the Redirection Driver is registered at the appropriatelevel in the system, for each storage device to be protected, and thefollowing steps are performed when the Redirection Driver intercepts adisk access request.

[0049] Specifically, in step 501, the Redirection Driver determineswhether the access requested is for a read or a write. If the request isfor a read, the Redirection Driver continues in step 502, else, itcontinues in step 504. In step 502, the Redirection Driver determineswhether or not the read is being requested against memory in theprotected space (e.g., protected space 206 in FIG. 2). If the read isbeing requested against memory in the protected space (no alteration isallowed), the Redirection Driver continues in step 503, else itcontinues in step 508. In step 503, the Redirection Driver determineswhether or not the requested memory address in the protected spacealready has been redirected to redirected space (e.g., redirected space207), and, if so, continues in step 507, else continues in step 508. Instep 507, the Redirection Driver determines the redirected address. Instep 508, the Redirection Driver forwards the read request with theoriginal or redirected address as determined to the next appropriate I/Odriver.

[0050] When it is determined in step 501 that the requested disk accessis for a write, then, in step 504, the Redirection Driver determineswhether or not the write is being requested to memory in the protectedspace (the write is “unallowed”), and, if so, continues in step 505,else, continues in step 508 to forward the write request to the nextappropriate I/O driver. In step 505, the Redirection Driver determineswhether or not the requested memory address has been previouslyredirected (for example, due to a prior write request), and, if so,continues in steps 507 and 508 as described, else continues in step 506.In step 506, the Redirection Driver allocates an available memoryaddress to be used for redirected space and maps the requested memoryaddress to an address in the redirected space. The Redirection Driverthen continues in step 508 as described above. In an alternateembodiment, in step 508, the Redirection Driver handles the disk accessrequests rather than forwarding them to a native operating system I/Odriver.

[0051]FIG. 6 is an example block diagram of a general purpose computersystem for practicing preferred embodiments of the present invention.The computer system 601 contains a central processing unit (CPU) 602,input/output devices 603, including storage device 613, a display device612, and a computer memory (memory) 604. The Disk Access RedirectionSystem 611, comprising Redirection Driver 605, Available Space Table608, Protected Space Redirection Table 609, and Unprotected Space Table610 preferably resides in memory with the operating system 606 and otherprograms 607. The storage device 613 contains an unprotected space 614,a protected space 615, a redirected space 616, and an available space617. One skilled in the art will recognize that the storage device 613may be implemented in any of various configurations including, forexample, one or more physical or virtual disk drives located on onecomputer or located on multiple computers connected through a network.

[0052] One skilled in the art also will recognize that variousarrangements of this computer system and its components are possible andcontemplated by the methods and systems of the present invention. Forexample, the various tables of the Disk Access Redirection System mayreside in separate memories or span across several memories or benon-contiguous. Well-known techniques for handling such data structuresand memory management can be used. In addition, the Redirection Driver,before being installed into memory, may be remotely located and accessedfor use via a network when desired. Various other modifications to thestorage organization and the location of the other parts of the computersystem are also contemplated. In addition, in the example flow diagramsdescribed, different orderings of the steps and different divisions ofthe steps are likewise contemplated to accomplish the techniques of thepresent invention.

[0053] As previously mentioned, the Redirection Driver 605 may beimplemented to intercept I/O (input/output) requests at various levelsin the storage driver architecture of the operating system 606 dependingupon what level of abstraction of storage is being redirected. Forexample, the Redirection Driver 605 may be implemented to redirect dataaccess at the file level or at the physical sector address level, or atsome other level. Additionally, multiple Redirection Drivers may beused, for example, one Redirection Driver for each storage device type,or for different levels of access.

[0054]FIG. 7 is an example block diagram of a typical layout of aphysical disk storage device in a computer system. As shown on the leftside of FIG. 7, a disk storage device 701 is made up of a series ofsectors 730. Each sector may be identified by (1) a head number (e.g.,720), which defines the disk surface where the sector resides; (2) acylinder number (e.g., 740), which defines the track where the sectorresides; and (3) a sector number (e.g., 730) within the associatedtrack. These identifying attributes may then be used to map a uniquenumber to each physical sector. The right side of FIG. 7 shows the samedisk storage device 701, but using a contiguous sector description 702.For example, the first sector is assigned the number 00, the second isassigned the number 01, and so on. This allows each sector to beaccessed through a simple indexing scheme, 0, 1, 2 . . . (n−1), where nis the total number of sectors on the physical disk. Each sector 702comprises a fixed number of bytes 703. For example, Sector 00 contains 8bytes, labeled Byte 0 -Byte 7.

[0055] In addition, a physical disk may be partitioned into one or morelogical drives. FIG. 8 is an example block diagram of a disk drivepartitioned into logical drives (partitions). The disk drive is showndivided into 3 logical partitions: 802, 803, and 804. Within apartition, the sectors are referred to as logical sectors. For example,partition 802 contains physical sectors 812-818 which are mapped tological sectors 0-6, and partition 803 contains physical sectors 820-823mapped to logical sectors 0-3. Logical sectors are accessed by a simpleindexing scheme 0, 1, 2, . . . (n−1) relative to the partition, where nis the number of logical sectors in the partition. The size in bytes ofa logical sector is not necessarily the same as a physical sector, butmay be an integral number of physical sectors. For example, partition804 contains physical sectors 840-845 mapped to logical sectors 0-2,where each logical sector is equal in size to two physical sectors.Although logical partitions 802, 803, and 804 are shown mapped tocontiguous physical sectors, in some systems, logical partitions may bemapped to non-contiguous physical sectors.

[0056] User or application information and other data are typicallystored in files. A file can be stored on a logical drive in one or morelogical sectors, which may or may not be contiguous. Different operatingsystems use different schemes to keep track of where a file is stored ona logical drive and to keep track of which sectors a file occupies.Often times some sort of “table,” “database,” or other appropriate datastructure, is used to locate the file on the logical drive and to trackthe sectors allocated to the file. In some systems, to reduce the sizeof the database required to describe the files on a disk storage device,the abstraction of a cluster is used. A cluster is an integral number ofsequential sectors. For example, in the Windows 9X operating system, acluster can be up to 64 logical sectors. The way that an operatingsystem organizes files into clusters and the way it keeps track of thisorganization in a “database” is typically referred to as the filesystem. The database used by the file system must also be stored on thedisk storage device. This database can be stored on the logical drive asa sequential set of logical sectors that is fixed in size and location,or it can be stored as a special file where access to it is achievedthrough a smaller fixed set of data.

[0057] In any operating system and file system, user and application data starts out in the form of a file. The operating system maintains a database of the clusters that are used to store the file data. Any read or write of a file or portion of a file ends up being a read or write of one or more physical sectors. Modern operating systems are typically coded in such a way that the file system reads and writes to a disk storage device through a layering of drivers as briefly described above. These drivers are defined such that drivers at the top communicate at the file level, while drivers at the bottom communicate at the physical sector level of the disk storage device. At some point in the layered input/output system, a driver can be inserted to intercept all the reads and writes at the level it is inserted, for example, at either the logical sector level or the physical sector level.

[0058] FIG. 9 is an example block diagram of a layered I/O driver architecture of a typical operating system with an inserted Redirection Driver. The layered I/O driver architecture 901 comprises file level drivers 902, logical sector level drivers 903, and physical sector level drivers 904. In FIG. 9, the Redirection Driver 920 implements logical sector redirection, so is shown inserted before the other drivers that handle logical sectors 903. When a request for file access comes in, a file level driver 902 translates the request into a read or a write request of the appropriate logical sectors and forwards the translated request down the driver chain. The Redirection Driver 920, which has been inserted into the driver chain before logical sector drivers 903, receives the translated request and processes the request according to the present invention. One skilled in the art will recognize that the Redirection Driver 920 can be similarly inserted at other points (or at multiple points) in the driver chain, depending upon what disk access abstraction has been implemented in the driver.

[0059] In example embodiments of the Disk Access Redirection System, the Available Space Table 608, Protected Space Redirection Table 609, and Unprotected Space Table 610 may be organized at the logical sector level, at the cluster level, at some other level of data abstraction, or a combination of data abstraction levels. When organized at the sector level, the Protected Space Redirection Table 609 tracks all sectors that can be redirected, and each entry corresponds to one logical sector. For example, if an entry for a particular sector is zero, then no redirection has occurred. In contrast, if an entry is non-zero, then redirection has occurred, and an indicator of the redirected sector is stored in that table entry. (The actual entry may contain a variety of data, such as a logical sector address in Redirected Space, or a pointer to an entry in the AST 608, which is allocated to the Redirected Space.) When organized instead at the cluster level, the Protected Space Redirection Table 609 tracks all clusters that can be redirected, and each entry in the table corresponds to one cluster. For example, if an entry for a particular cluster is zero, then no redirection has occurred. In contrast, if an entry is non-zero, then redirection has occurred, and an indicator of the number of the redirected cluster (or other reference) is stored in the table entry.

[0060] The basis of redirection may be clusters, sectors, or any other level of data abstraction, and is based on the organization of the DARS. In some embodiments, the use of clusters will reduce the memory size of the DARS. One embodiment organizes the DARS tables as groups of clusters or sectors instead of as individual clusters or sectors. When using groups of clusters, a table entry consists of a cluster number and an extent (i.e., a number of sequential clusters). Because operating systems attempt to keep reads and writes of related data in sequential clusters, the first write to a cluster will usually be a write to a sequence of clusters. For example, if a write operation calls for data to be stored in clusters 5, 6, 7, 8, 9, and 10, this information may be stored in a table where each element in the table consists of 3 pieces of information: (1) the original starting cluster number, (2) the number of sequential clusters, and (3) the number of the first redirected cluster. In this example, storing the redirection information in the Protected Space Redirection Table 609 requires only three numbers, rather than the six required when redirection information is referred to as individual clusters. As the write blocks get larger, the savings in memory become significant. No matter how large the write becomes, only three numbers are required to store all the redirection information. The other DARS tables can be similarly implemented in terms of logical sectors, clusters, or a combination of both.

[0061] FIG. 10 is an example block diagram illustrating how the Disk Access Redirection System tables are used by the Redirection Driver to redirect disk accesses. As described earlier, disk storage comprises protected space 1001, which cannot be altered; unprotected space 1004, which can be altered; redirected space 1002, which stores attempted alterations to the protected space 1001; and available space 1003, which is currently unused space. The tables of the DARS (tables 1020, 1030, and 1040) are used to manage the mappings between the protected space 1001, redirected space 1002, available space 1003, and unprotected space 1004. The Available Space Table 1030 (“AST”) maps the available space 1003 (shown hatched); the Protected Space Redirection Table 1020 (“PSRT”) maps the protected space 1001 to the redirected space 1002; and the Unprotected Space Table 1040 (“UST”) maps/records the unprotected space 1004 (shown hatched).

[0062] In one embodiment, the AST 1030 stores a series of records, each record indicating a portion of memory that is available for redirection use. The AST may be organized as a simple list of available cluster numbers, or it may be organized as a table of items, each of which contain a starting cluster number and an extent (i.e., number of sequential empty clusters). In the embodiment shown, each AST record comprises an available address 1031 that indicates the beginning of an available portion of memory and an extent 1032 that indicates the length of the available portion of memory (e.g., the first shown record indicates two clusters of storage with addresses A01 through A02). As empty clusters are used for redirection, they are removed from the AST or marked as not available. A write operation of “n” sequential clusters generates a request for “n” sequential empty clusters for redirection. The AST services this request. If it is not possible to find “n” sequential clusters in the AST, the request is preferably broken up into smaller units.

[0063] The UST 1040 is similar to the AST 1030, storing a series of records, each comprising a beginning address 1041 and an extent 1042 (e.g., the first shown record indicates two clusters of storage with addresses U01 through U02). The records in the UST indicate portions of unprotected space 1004, which can be altered. In an alternative embodiment, the unprotected space 1004 is mapped via the UST 1040 to redirected space 1002 and saved upon computer shut down. This embodiment has the disadvantage of potentially losing data written to the unprotected space 1004 when the user simply powers down the machine using the hardware power switch, without gracefully shutting down the operating system and allowing the redirected space 1002 to be saved.

[0064] The PSRT 1020 maps portions of protected space 1001 to redirected space 1002. Each record in the PSRT 1020 comprises a protected address 1021 that indicates the beginning of a protected portion of storage, an extent 1022 that indicates the length of the protected portion of storage, and a redirected address 1023 that indicates the beginning of a portion of memory to which all reads and writes to the indicated protected address of that record will be redirected. For example, in the first record, addresses P01 through P03 of storage in the protected space 1001 (as shown by an extent of 3 clusters) are currently redirected to addresses R02 through R04 in the redirected space 1002. Although described with respect to clusters, one skilled in the art will recognize that a similar organization and description can be used to implement the tables and the space layout using other abstractions, such as at the file level or sector level.

[0065] In an example embodiment shown, the AST, UST, and PSRT (e.g., AST 1030, UST 1040, and PSRT 1020 in FIG. 10) are stored in a volatile memory of the computer system. In alternate embodiments, these tables may be written to persistent storage and deleted prior to the computer system being shut down. In another alternate embodiment, the determined system protection level may indicate whether the tables are stored in volatile memory or persistent storage. For example, one level of protection may be defined which maintains the AST, PSRT, and UST in persistent storage across several system reboots. This may be beneficial on a system that is being used to test new software. When testing is complete, or at various stages during the testing process, the system protection level could be modified to a level that causes the DARS to store the AST, PSRT, and UST in volatile memory or to delete them from persistent memory on shutdown. As one skilled in the art will recognize, various protection levels may be defined, each requiring possible variations in implementation of the DARS system tables. These variations may include the specific data structures of the tables in addition to the type of memory used to store the tables. Well-known techniques for varying the data structures and for indicating mappings can be used. All of these variations are contemplated and are intended to fall within the scope of the invention.

[0066] In some operating systems, certain portions of protected memory need to be redirected prior to allowing a user access to the system. In particular, in operating systems whose file systems store data on persistent storage, it is necessary to redirect the file system data itself to properly protect these systems. For example, in the Microsoft DOS and Windows™ operating systems, there are a number of different file systems, which store data on a system hard drive. These systems use a File Allocation Table (FAT) to track and allocate clusters to files. In particular, FAT file systems use a table of “next” cluster numbers. To work correctly in these environments, the DARS is implemented to handle both the FAT 16 system and the FAT 32 system. In FAT 16, the FAT is a table of 16 bit cluster numbers. In FAT 32, the table consists of 32 bit cluster numbers.

[0067] FIG. 11 is an example block diagram of a disk drive with a File Allocation Table arranged according to the FAT 16 architecture. In FIG. 11, a logical drive 1101 is organized as: (1) Boot record sector 1102, (2) FAT sector 1103, (3) Root directory sector 1104, and (4) Data clusters 1105. The first three sections 1102, 1103, and 1104 are fixed in size. The data section starts at a fixed point on the drive and is viewed by the operating system as a sequence of clusters.

[0068] FIG. 12 is an example block diagram of a disk drive with a File Allocation Table arranged according to the FAT 32 architecture. A logical drive 1201 is organized as: (1) Boot record sector 1202, (2) FAT sector 1203, and (3) Data clusters 1204. The first two sections 1202 and 1203 are fixed in size. The data section starts at a fixed location and is viewed by the operating system as a sequence of clusters.

[0069] FIG. 13 is an example block diagram of a disk drive arranged according to the New Technology File System (“NTFS”) architecture. The entire logical drive is organized using cluster segmentation, and all data is organized as files within the cluster framework. For example, cluster 1301 contains the Boot Sector.

[0070] The DARS is implemented to redirect all portions of the disk drive, including those used by the operating system, as shown in FIGS. 11, 12, and 13. This feature allows a random hardware “power off” to leave the system secure. One method of implementing the DARS in FAT 16 and FAT 32 is to define two sets of the AST and PSRT redirection tables, which are organized to different data size abstractions. According to this embodiment, the redirection tables are sector-based for that part of the disk drive that precedes the data section and cluster-based for the data part (the remainder) of the disk drive. Because all available space on a drive will be in the data section of the drive, sectors from the pre-data part of the drive are redirected to the cluster organized part of the drive. Thus, several computations are necessary in this embodiment to translate sectors to clusters and vice versa.

[0071] To determine in which cluster a logical sector lies, the DARS in this example embodiment uses the following formula:

Cluster=((LSector−DO)/SPC)+2;  (1)

[0072] where,

[0073] DO=logical sector number where the data section starts

[0074] SPC=# sectors per cluster.

[0075] The +2 results from a specific nuance in that the FAT 16/32 architecture labels the first cluster in the “data” section as Cluster 2.

[0076] To calculate the first sector of a cluster, the DARS uses the formula:

LSector=((Cluster−2)*SPC)+DO.  (2)

[0077] To calculate the offset within a cluster for a given logical sector, the DARS uses the formula:

Offset=(LSector−DO) % SPC.  (3)

[0078] where the “%” is a modulus operator that gives the integer remainder from a division.

[0079] Using the Microsoft New Technology File System “NTFS”, the operating system views the entire disk drive as a sequence of clusters, and all space on the drive is allocated in clusters. (See FIG. 13.) Conversion from clusters to sectors or sectors to clusters is required because the file system usually handles cluster numbers, but reads and writes are usually handled as sectors. For example, queries for available space will usually be obtained in terms of clusters. Therefore, the following example formulas can be used to translate between logical sectors and clusters:

LSector=Cluster * SPC  (4)

Cluster=LSector/SPC  (5)

[0080] For purposes of managing the redirection information generically, the DARS can be implemented using a concept of virtual clusters. In this implementation, the DARS only deals with redirection at the cluster level and is designed to be independent of the file system and the operating system.

[0081] Real cluster numbers are translated to virtual clusters using the formula:

VCluster=RCluster+Offset;  (6)

[0082] where,

[0083] Offset=(CO/SPC)+A;

[0084] CO=the logical sector number of Real Cluster zero.

[0085] SPC=the number of sectors per cluster

[0086] A=(CO % SPC) ? 1 : 0; where the “?” is an operator, indicating that if the expression (CO % SPC) evaluates to “true” (any non-zero value), then A=1. If the expression (CO % SPC) evaluates to “false” (zero), then A=0.

[0087] The virtual cluster number that contains a logical sector is given by:

VCluster=(LSector−SO)/SPC  (7)

[0088] where,

[0089] SO=(CO % SPC) is the offset of sector zero within Virtual cluster zero

[0090] The first sector of a VCluster is:

LSector=(VCluster*SPC)+SO;  (8)

[0091] To calculate the offset within a virtual cluster for a given logical sector, the DARS uses the formula:

Offset=(LSector−SO) % SPC  (9)
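The sector and cluster translations of formulas (1) through (9), carried through in C as an added example. This is illustrative code, not the patent's own implementation; the geometry values (DO, CO, SPC), the function names and the round-trip checks are constructed here. Beyond restating the formulas, it adds one check a practitioner would want before adopting the virtual-cluster scheme: formulas (6) and (7) should name the same virtual cluster for the first sector of real cluster zero, and with A as defined in [0086] they do so only when CO is a multiple of SPC.

```c
/* Added example, not the patent's code: formulas (1)-(9) with integer
 * division, as in the patent text. Geometry values below are constructed. */
#include <stdio.h>

typedef struct { long DO, SPC; } FatGeom;  /* DO: first data sector; SPC: sectors per cluster */
typedef struct { long CO, SPC; } VGeom;    /* CO: logical sector of real cluster 0 */

/* FAT 16/32, formulas (1)-(3): the data section begins at DO and is Cluster 2.
 * Valid for lsector >= DO, where the patent applies them. */
long fat_cluster(FatGeom g, long lsector)      { return (lsector - g.DO) / g.SPC + 2; }
long fat_first_sector(FatGeom g, long cluster) { return (cluster - 2) * g.SPC + g.DO; }
long fat_offset(FatGeom g, long lsector)       { return (lsector - g.DO) % g.SPC; }

/* NTFS, formulas (4)-(5): the whole drive is one cluster sequence from sector 0. */
long ntfs_first_sector(long spc, long cluster) { return cluster * spc; }
long ntfs_cluster(long spc, long lsector)      { return lsector / spc; }

/* Virtual clusters, formulas (6)-(9); SO is the [0089] definition. */
long v_so(VGeom g) { return g.CO % g.SPC; }
long v_from_real(VGeom g, long rcluster) {                        /* (6) */
    long a = (g.CO % g.SPC) ? 1 : 0;                              /* A, per [0086] */
    return rcluster + g.CO / g.SPC + a;
}
long v_from_sector(VGeom g, long lsector)  { return (lsector - v_so(g)) / g.SPC; }   /* (7) */
long v_first_sector(VGeom g, long vcluster) { return vcluster * g.SPC + v_so(g); }   /* (8) */
long v_offset(VGeom g, long lsector)        { return (lsector - v_so(g)) % g.SPC; }  /* (9) */

/* Consistency check (added here): real cluster 0 starts at sector CO, so (6)
 * applied to cluster 0 and (7) applied to sector CO should agree. With A as
 * defined in [0086] they agree only when CO % SPC == 0; otherwise (6) is one
 * higher. Returns 1 when the two conventions agree for this geometry. */
int v_conventions_agree(VGeom g) { return v_from_real(g, 0) == v_from_sector(g, g.CO); }

/* Round trips: sector -> (cluster, offset) -> sector must return the input. */
int fat_roundtrip(FatGeom g, long lsector) {
    return fat_first_sector(g, fat_cluster(g, lsector)) + fat_offset(g, lsector) == lsector;
}
int v_roundtrip(VGeom g, long lsector) {
    return v_first_sector(g, v_from_sector(g, lsector)) + v_offset(g, lsector) == lsector;
}

int main(void) {
    FatGeom fat = {33, 4};   /* constructed: data section at sector 33, 4 sectors per cluster */
    VGeom   v   = {33, 4};   /* constructed: real cluster 0 at sector 33 */
    printf("FAT: sector 42 -> cluster %ld, offset %ld (round trip %s)\n",
           fat_cluster(fat, 42), fat_offset(fat, 42), fat_roundtrip(fat, 42) ? "ok" : "FAIL");
    printf("virtual: (6) gives %ld, (7) gives %ld for real cluster 0; agree=%d\n",
           v_from_real(v, 0), v_from_sector(v, v.CO), v_conventions_agree(v));
    return 0;
}
```

Integer division in C truncates toward zero, so the FAT formulas are meaningful for sectors at or beyond DO and the virtual-cluster formulas for sectors at or beyond SO; the patent applies them only within those regions. The pre-data sectors of a FAT drive are handled by the separate sector-based tables of paragraph [0070].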

[0092] In an embodiment that uses virtual clusters, the virtual clusters don't have to be redirected to physical clusters on the same drive. Clusters may be redirected to any place where storage is available, for example, on other drives, on network drives etc. The virtual cluster concept only requires an object of “available space” to which clusters may be redirected, and thus has the advantage of flexibility for a variety of operating systems. Virtual clusters may also be implemented to include virtual sectors or any other “virtual” data abstraction level. In systems that support object-oriented programming, the virtual cluster can be implemented as a class, whose implementation is specified by a particular instance of the Redirection Driver.

[0093] In some embodiments, a protection level is supported that allows the specification of some unprotected space. (For example, unprotected space 1004 in FIG. 10.) Unprotected space can be implemented by allowing some set of sectors to be read and written into their original locations. Storage that is designated as unprotected is persistent through a reboot. By making the unprotected space appear to the operating system as a drive (which is designated to not be redirected), files can be stored in this space that will be persistent through a reboot. Specifically, because the Redirection Driver can be implemented to intercept reads and writes at the file level, files thus can be redirected into unprotected space—a special drive—instead of redirected space. The information in these files will then be persistent through a reboot. Redirection at the file level may be implemented such that the file appears to the user as if it is still in its original location.

[0094] In an alternative embodiment, an option is presented to a user to save the modifications attempted to protected space. For example, an option can be presented upon computer system shut down to save redirected data in this fashion. The DARS tables contain the information necessary to identify all modifications to the protected space. Thus, by transferring the information to the appropriate file allocation tables, the DARS can make the changes that have been made in the redirected space permanent in the protected space. For example, a user may wish to protect the data on a computer system while running a new software application in order to prevent unexpected data modifications. After running the software application and verifying that no unwanted modifications were made, the changes that were made in the redirected space can be made permanent in the protected space. If unexpected data modifications were made, the user could simply re-boot the computer system, restoring the original data.

[0095] In an example embodiment of the DARS, implemented on a computer system running the Microsoft Windows 9X operating system, the Redirection Driver is implemented with the standard driver entry points that allow the operating system to communicate with any driver. The operating system supports the implementation of a Virtual Device Driver (a VxD), which can be inserted into the driver chain, so that the standard entry points of the driver are invoked by the operating system when the associated event is triggered.

[0096] FIGS. 14-18 are example flow diagrams describing the steps performed by the DARS Redirection Driver at each of five standard driver entry points. One skilled in the art will recognize that a Redirection Driver may be implemented with additional entry points or other entry points, and that the five entry points described with relation to FIGS. 14-18 are intended only to be an example of a preferred embodiment, and are not intended to limit the scope of the invention.

[0097] FIG. 14 is an example flow diagram of the steps performed by the Disk Access Redirection System when the computer system boots up. In step 1401, the computer system or a portion of the DARS determines the protection level for the computer system, as described with reference to FIG. 4. In step 1402, the DARS examines the determined protection level, evaluating whether or not any protection is to be implemented for the computer system. If no protection is to be performed for the computer system, the Redirection Driver is not registered (not inserted into the driver chain) and will not intercept any disk access requests. If full or partial protection is designated, then the DARS continues in step 1405, to create an Available Space Table to map all of the available space for the appropriate disk drives. In step 1406, the DARS creates an Unprotected Space Table in embodiments that support partial protection. In step 1407, the DARS creates a Protected Space Redirection Table. In step 1408, the DARS maps the available storage space in the Available Space Table to initialize the AST. In step 1409, the DARS maps unprotected space in the Unprotected Space Table to initialize the UST. For each storage device that is part of the computer system, steps 1408 and 1409 are performed. In one embodiment, a single set of DARS tables is used. In an alternative embodiment, a separate set of DARS tables is provided for each storage device in the system. Available space may be determined by any of a number of methods, for example, by querying the appropriate level device driver, by reading the FAT tables directly, by consulting a file containing addresses of such areas, accessing an access control list maintained by the operating system, or querying the user. The addresses that correspond to the unprotected space and protected space are determined from the input received after determining the desired protection level (step 1401). In step 1410, the system registers the Redirection Driver with the operating system as required by that system. For example, in systems running a Windows 9x operating system, any driver stored in the appropriate directory is loaded and put in the correct location to intercept access requests when the system boots. In systems running other operating systems, a different registration process may be required.

[0098] In an alternate embodiment of the invention, a user may specify a computer system protection level that allows modifications to be maintained across several system reboots. In step 1403, if the determined protection level indicates that the Available Space Table, Protected Space Redirection Table, and, optionally, the Unprotected Space Table are to be retrieved from a previous session, then the DARS proceeds to step 1404. In step 1404, the DARS loads the existing tables, preferably from persistent memory into volatile memory, and then proceeds to step 1410 where the Redirection Driver is registered to intercept disk access requests, as described above.

[0099] FIG. 15 is an example flow diagram of the steps performed by the Disk Access Redirection System when a new device is mounted by the computer system. In step 1501, the DARS determines whether or not the newly mounted device is a storage device, and, if not, it terminates, else it continues in step 1502. Steps 1502 and 1503 are similar to steps 1408 and 1409, respectively, described above. In step 1502, the DARS maps the available space in the Available Space Table. In step 1503, the DARS maps any designated unprotected space in the Unprotected Space Table. In one embodiment, a user interface may need to be presented to query the user as to whether it is desired to protect this new device (for example, when partial protection has been indicated). In step 1504, when the operating system so requires, the Redirection Driver is registered to intercept read and write requests to the new storage device.

[0100] FIG. 16 is an example flow diagram of the steps performed by the Redirection Driver when a read request is intercepted. In step 1601, the driver determines whether the requested address is in the UST, indicating unprotected space that may be freely written to and read from. If so, then the driver proceeds to step 1604 to read from the requested address, else, it proceeds to step 1602. In step 1602, the driver determines whether or not the requested address is mapped in the PSRT, indicating that the protected space already has been redirected and the redirected address needs to be read from instead of the original address. If the requested address has been redirected, then the driver continues in step 1603, else, it continues in step 1604. In step 1603, the driver sets the address to the redirected address already mapped in the PSRT. In step 1604, the system forwards the read request, with either the original or redirected address, to the next I/O driver in the driver chain to perform the read.

[0101] FIG. 17 is an example flow diagram of the steps performed by the Redirection Driver when a write request is intercepted. In step 1701, the driver determines whether or not the requested address is in the UST, indicating unprotected space that may be freely written to. If so, then the driver continues in step 1707 to write to the requested address, else it continues in step 1702. In step 1702, the driver determines whether or not the requested address is mapped in the PSRT, indicating that the protected space already has been redirected. If the requested address has not yet been redirected, then the driver continues in step 1703, else it continues in step 1706 to retrieve the redirected address. In step 1703, the driver identifies and allocates available space from the AST as required to satisfy the request. The original write request is progressively broken up into smaller requests, if a large enough space is unavailable to satisfy the request. In step 1704, the driver writes a new record to the PSRT, mapping the requested protected address to the available address allocated from the AST in step 1703. In step 1705, the driver removes the allocated space from the AST, because, once the available space is used as redirected space, it is no longer available. In step 1706, the driver sets the address requested in the disk access request to the redirected address as mapped in the PSRT. In step 1707, the driver forwards the write request with the original unprotected or redirected address to a lower level disk driver to perform the write.
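The read and write paths of FIGS. 16 and 17, together with the extent-based AST and PSRT records of paragraphs [0060] and [0062], as an added C simulation that is not the patent's code. A 64-cluster in-memory "drive" constructed here stands in for the storage device, and the function names (dars_boot, dars_write, dars_read, raw_cluster), the record layouts and the protected/unprotected/available partitioning are assumptions of the example. It shows a write to protected space recorded as one three-number PSRT entry, a write broken into smaller runs when no AST record is large enough (step 1703), the unchanged medium underneath, and what a reboot that discards the tables does to subsequent reads.

```c
/* Added example, not the patent's code: cluster-granular simulation of the
 * Redirection Driver of FIGS. 16 and 17. Drive size, layout and names are constructed. */
#include <stdio.h>
#include <string.h>

#define NCLUSTERS   64          /* one byte stands in for one cluster */
#define MAX_RECORDS 32

typedef struct { int start, extent; } Range;           /* AST / UST record ([0062], [0063]) */
typedef struct { int prot, extent, redir; } Mapping;   /* PSRT record: the 3 numbers of [0060] */

static unsigned char disk[NCLUSTERS];                  /* the persistent medium */
static Range   ast[MAX_RECORDS];  static int n_ast;    /* Available Space Table */
static Range   ust[MAX_RECORDS];  static int n_ust;    /* Unprotected Space Table */
static Mapping psrt[MAX_RECORDS]; static int n_psrt;   /* Protected Space Redirection Table */

/* Constructed layout: clusters 0-31 protected, 32-39 unprotected, 40-63 available.
 * Tables are volatile, so calling this again models a reboot (FIG. 14, no saved tables). */
void dars_boot(void) {
    n_ast = n_ust = n_psrt = 0;
    ast[n_ast++] = (Range){40, 24};
    ust[n_ust++] = (Range){32, 8};
}

static int in_ust(int c) {                             /* steps 1601 / 1701 */
    for (int i = 0; i < n_ust; i++)
        if (c >= ust[i].start && c < ust[i].start + ust[i].extent) return 1;
    return 0;
}

static int psrt_lookup(int c) {                        /* steps 1602 / 1702: -1 if unmapped */
    for (int i = 0; i < n_psrt; i++)
        if (c >= psrt[i].prot && c < psrt[i].prot + psrt[i].extent)
            return psrt[i].redir + (c - psrt[i].prot);
    return -1;
}

/* Steps 1703 / 1705: take up to `want` sequential clusters from the largest AST
 * record and remove them from the AST. Returns the first cluster, or -1 if none left. */
static int ast_alloc(int want, int *got) {
    int best = -1;
    for (int i = 0; i < n_ast; i++)
        if (ast[i].extent > 0 && (best < 0 || ast[i].extent > ast[best].extent)) best = i;
    if (best < 0) return -1;
    *got = ast[best].extent < want ? ast[best].extent : want;
    int first = ast[best].start;
    ast[best].start += *got; ast[best].extent -= *got;
    return first;
}

/* FIG. 17: write `len` clusters starting at `addr`; returns clusters written.
 * A run too large for any one AST record is broken into smaller redirected runs. */
int dars_write(int addr, const unsigned char *data, int len) {
    if (addr < 0 || len < 0 || addr + len > NCLUSTERS) return 0;
    int done = 0;
    while (done < len) {
        int c = addr + done;
        if (in_ust(c)) { disk[c] = data[done++]; continue; }          /* 1701 -> 1707 */
        int target = psrt_lookup(c);                                    /* 1702 */
        if (target < 0) {
            int run = 1, got;                                           /* 1703 */
            while (done + run < len && !in_ust(c + run) && psrt_lookup(c + run) < 0) run++;
            target = ast_alloc(run, &got);
            if (target < 0 || n_psrt == MAX_RECORDS) return done;       /* cannot redirect */
            psrt[n_psrt++] = (Mapping){c, got, target};                 /* 1704 */
        }
        disk[target] = data[done++];                                    /* 1706 -> 1707 */
    }
    return done;
}

/* FIG. 16: read one cluster, following the PSRT if the address was redirected. */
unsigned char dars_read(int addr) {
    if (in_ust(addr)) return disk[addr];                                /* 1601 -> 1604 */
    int target = psrt_lookup(addr);                                     /* 1602 */
    return disk[target < 0 ? addr : target];                            /* 1603 / 1604 */
}

unsigned char raw_cluster(int addr) { return disk[addr]; }  /* the medium without the driver */

/* Scenario 1: clusters 5-10 are "modified" and read back through the driver; after a
 * reboot the original contents reappear while the unprotected write survives. */
int dars_demo(void) {
    memset(disk, 'o', NCLUSTERS);                         /* constructed original data */
    dars_boot();
    const unsigned char six[] = "XXXXXX", u = 'U';
    if (dars_write(5, six, 6) != 6) return 0;
    if (n_psrt != 1 || psrt[0].extent != 6) return 0;     /* one record, not six */
    if (dars_read(7) != 'X' || raw_cluster(7) != 'o') return 0;
    dars_write(33, &u, 1);                                /* unprotected: written in place */
    dars_boot();                                          /* reboot: redirected space discarded */
    return dars_read(7) == 'o' && dars_read(33) == 'U';
}

/* Scenario 2: only small AST fragments remain, so a 5-cluster write becomes two runs. */
int dars_fragment_demo(void) {
    memset(disk, 'o', NCLUSTERS);
    dars_boot();
    n_ast = 0; ast[n_ast++] = (Range){40, 2}; ast[n_ast++] = (Range){50, 3};
    const unsigned char five[] = "ABCDE";
    if (dars_write(10, five, 5) != 5) return 0;
    return n_psrt == 2 && dars_read(10) == 'A' && dars_read(14) == 'E' && raw_cluster(12) == 'o';
}

int main(void) {
    printf("redirect/reboot: %s, fragmented AST: %s\n",
           dars_demo() ? "ok" : "FAIL", dars_fragment_demo() ? "ok" : "FAIL");
    return 0;
}
```

The allocator deliberately hands back fewer clusters than requested rather than failing, which is what lets dars_write split the request as paragraph [0062] describes; a real driver would also need a policy for the case where ast_alloc returns -1, since once redirected space is exhausted no further protected writes can be honoured.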

[0102] As described above, in an alternate embodiment of the DARS, protection levels are implemented that allow modifications to the redirected space to remain persistent across one or more system reboots. In one such embodiment, the standard driver entry point for system shutdown is implemented in the Redirection Driver. FIG. 18 is an example flow diagram of the steps performed by the Redirection Driver when a system shutdown request is intercepted. In step 1801, the driver determines whether or not the protection level in effect for the computer system indicates saving the DARS tables. If so, then the driver continues in step 1802, else, the on_shutdown routine terminates. In step 1802, the driver writes the Available Space Table to persistent storage. In step 1803, the driver writes the Unprotected Space Table to persistent storage. In step 1804, the driver writes the Protected Space Redirection Table to persistent storage. Persistent storage for these purposes may also be a logical drive in the file system that has been designated as unprotected storage, as described above. One skilled in the art will recognize that other steps may be performed on computer system shutdown in this routine, for example, to store unprotected areas if these had been redirected to redirected space instead of written to directly by the appropriate driver.

[0103] Although specific embodiments of, and examples for, the present invention are described herein for illustrative purposes, it is not intended that the invention be limited to these embodiments. Equivalent methods, structures, processes, steps, and other modifications within the spirit of the invention fall within the scope of the invention. For example, the teachings provided herein of the present invention can be applied to any systems with associated persistent data storage, for example, a personal computer system with a hard disk drive, or a networked server system with remote data repositories. In addition, the teachings may be applied to other types of systems where driver-like code may be implemented to redirect the flow of data through the system. These and other changes may be made to the invention in light of the above-detailed description. Accordingly, the invention is not limited by the disclosure, but instead, the scope of the present invention is to be determined by the following claims.

1. A method in a computer system for securing data stored on a storagedevice, the computer system having a redirection driver, availablestorage, and redirected storage, comprising: receiving a request toaccess a portion of data on the storage device, the request referring toan original location on the storage device; under control of theredirection driver, intercepting the request to access the data;determining whether the request refers to an original location that haspreviously been redirected to redirected storage; when the requestrefers to an original location that has previously been redirected toredirected storage, using a location in redirected storage as a currentredirected location, otherwise allocating available storage to a newlocation in redirected storage and using the new location as the currentredirected location; and redirecting the access request to refer to thecurrent redirected location, such that the request transparentlyaccesses the current redirected location instead of the originallocation; and restarting the computer system from a powered-down state,wherein the data stored in the original location on the storage deviceremains unaltered, without any restorative copying of data.
 2. Acomputer system for securing data stored on a storage device,comprising: data access request that refers to an original location onthe storage device; available storage; and redirection driver, installedin the computer system during power-up initialization, that,automatically intercepts the data access request; and redirects theaccess request to access a redirected location in the available storage,such that a requested modification at the original location is notperformed and is instead performed to the redirected location, and suchthat, when the computer system is restored from a powered-down state,the data in the original location on the storage device remainsunaltered without any restorative copying.
3. A method in a computer system for protecting data stored in a portion of a storage device having a designated protected space, the computer system having a redirected space, comprising: intercepting a request from requesting code to access a location in the protected space of the storage device; determining a location in the redirected space that is associated with the location in the protected space; and redirecting the intercepted request to access the determined location in the redirected space instead of the location in the protected space, in a manner that is transparent to the requesting code, so that the data stored in the location in the protected space remains unaltered.
4. The method of claim 3 wherein a redirection driver performs the intercepting of the request, the determining of the location in the redirected space, and the redirecting of the intercepted request.
5. The method of claim 4 wherein the driver is inserted into a driver hierarchy that is controlled by an operating system of the computer system.
6. The method of claim 3 wherein the designated protected space of the storage device comprises the entire storage device.
7. The method of claim 3 wherein the determined location in the redirected space resides in the storage device.
8. The method of claim 3 wherein the determined location in the redirected space resides in another storage device.
9. The method of claim 3 wherein the request to access a location in the protected space is a request to read from the protected space.
10. The method of claim 9 wherein the redirecting of the intercepted read request results in automatically reading data from the determined location in the redirected space instead of from the location in the protected space.
11. The method of claim 3 wherein the request to access a location in the protected space is a request to write to the protected space.
12. The method of claim 11 wherein the redirecting of the intercepted write request results in automatically writing data to the determined location in the redirected space instead of to the location in the protected space.
13. The method of claim 11 wherein the redirecting of the intercepted write request results in automatically allocating available space to use as new redirected space and writing data to a location in the new redirected space.
14. The method of claim 3 wherein the determining of the location in the redirected space that is associated with the location in the protected space further comprises first allocating available space to be used as the redirected space.
15. The method of claim 3 wherein the storage device is one of a hard disk drive, a read/write CD ROM drive, a floppy disk drive, and a semi-persistent storage device.
16. The method of claim 3 wherein the location in the protected space refers to at least one of a sector, a group of sectors, a cluster, and a group of clusters.
17. The method of claim 3 wherein the location in the redirected space refers to at least one of a sector, a group of sectors, a cluster, a group of clusters, a virtual cluster, and a group of virtual clusters.
18. The method of claim 17 wherein the sector is a logical sector.
19. The method of claim 17 wherein the sector is a physical sector.
20. The method of claim 17 wherein the location in the protected space refers to a sector.
21. The method of claim 17 wherein the location in the protected space refers to an abstraction of storage that is larger than a sector.
22. The method of claim 3 wherein the redirected space is organized according to a combination of different storage units.
23. The method of claim 22 wherein a portion of the redirected space is organized as one of virtual clusters, clusters, files, and sectors, and another portion is organized according to a different storage unit.
24. The method of claim 3, further comprising: designating a portion of the storage device as unprotected space; intercepting a request to access a location in the unprotected space of the storage device; and performing the request without redirection to access the unprotected space.
25. The method of claim 3, further comprising: receiving a request to shut down the computer system; and upon receiving the request to shut down the computer system, disregarding the data in the redirected space, so that when the computer system is rebooted, the data in the protected space of the storage device appears unaltered.
26. The method of claim 25 wherein disregarding the data in the redirected space comprises at least one of deleting the data from the storage in the redirected space, disassociating the redirected space from the protected space, and ignoring the data in the redirected space.
27. The method of claim 3, further comprising: receiving a request to shut down the computer system; and upon receiving the request to shut down the computer system, saving the data stored in the redirected space.
28. The method of claim 27 wherein saving the data stored in the redirected space comprises copying the data from the redirected space to associated locations in the protected space, thereby making permanent the data that was redirected to the redirected space.
29. The method of claim 27 wherein saving the data stored in the redirected space comprises saving the association between the protected space and the redirected space without copying the data from the redirected space.
30. The method of claim 3, further comprising using redirection tables to associate locations in the protected space with locations in the redirected space.
31. The method of claim 30 wherein the redirection tables comprise at least one of a protected space redirection table, an available space table, and an unprotected space table.
32. A computer-readable memory medium containing instructions that control a computer processor to protect data stored in a portion of a storage device having a designated protected space, the computer system having a redirected space, by: intercepting a request from requesting code to access a location in the protected space of the storage device; determining a location in the redirected space that is associated with the location in the protected space; and redirecting the intercepted request to access the determined location in the redirected space instead of the location in the protected space, in a manner that is transparent to the requesting code, so that the data stored in the location in the protected space remains unaltered.
33. The computer-readable memory medium of claim 32 wherein the designated protected space of the storage device comprises the entire storage device.
34. The computer-readable memory medium of claim 32 wherein the determined location in the redirected space resides in the storage device.
35. The computer-readable memory medium of claim 32 wherein the determined location in the redirected space resides in another storage device.
36. The computer-readable memory medium of claim 32 wherein the request to access a location in the protected space is a request to read from the protected space that results in automatically reading data from the determined location in the redirected space instead of from the location in the protected space.
37. The computer-readable memory medium of claim 32 wherein the request to access a location in the protected space is a request to write to the protected space that results in automatically writing data to the determined location in the redirected space instead of to the location in the protected space.
38. The computer-readable memory medium of claim 37 wherein the redirecting of the intercepted write request results in automatically allocating available space to use as new redirected space and writing data to a location in the new redirected space.
39. The computer-readable memory medium of claim 32 wherein the determining of the location in the redirected space that is associated with the location in the protected space further comprises first allocating available space to be used as the redirected space.
40. The computer-readable memory medium of claim 32 wherein the storage device comprises one of a hard disk drive, a read/write CD ROM drive, a floppy disk drive, and a semi-persistent storage device.
41. The computer-readable memory medium of claim 32 wherein the location in the protected space refers to at least one of a sector, a group of sectors, a cluster, and a group of clusters.
42. The computer-readable memory medium of claim 32 wherein the location in the redirected space refers to at least one of a sector, a group of sectors, a cluster, a group of clusters, a virtual cluster, and a group of virtual clusters.
43. The computer-readable memory medium of claim 42 wherein the location in the protected space refers to a sector.
44. The computer-readable memory medium of claim 42 wherein the location in the protected space refers to an abstraction of storage that is larger than a sector.
45. The computer-readable memory medium of claim 32 wherein the redirected space is organized according to a combination of different storage units.
46. The computer-readable memory medium of claim 45 wherein a portion of the redirected space is organized as at least one of virtual clusters, clusters, files, and sectors, and another portion is organized according to a different storage unit.
47. The computer-readable memory medium of claim 32, further comprising: designating a portion of the storage device as unprotected space; intercepting a request to access a location in the unprotected space of the storage device; and performing the request without redirection to access the unprotected space.
48. The computer-readable memory medium of claim 32, further comprising: receiving a request to shut down the computer system; and upon receiving the request to shut down the computer system, disregarding the data in the redirected space, so that when the computer system is rebooted, the data in the protected space of the storage device appears unaltered.
49. The computer-readable memory medium of claim 48 wherein disregarding the data in the redirected space comprises at least one of deleting the data from the storage in the redirected space, disassociating the redirected space from the protected space, and ignoring the data in the redirected space.
50. The computer-readable memory medium of claim 32, further comprising: receiving a request to shut down the computer system; and upon receiving the request to shut down the computer system, saving the data stored in the redirected space.
51. The computer-readable memory medium of claim 50 wherein saving the data stored in the redirected space comprises copying the data from the redirected space to associated locations in the protected space, thereby making permanent the data that was redirected to the redirected space.
52. The computer-readable memory medium of claim 50 wherein saving the data stored in the redirected space comprises saving the association between the protected space and the redirected space without copying the data from the redirected space.
53. The computer-readable memory medium of claim 32, further comprising using redirection tables to associate locations in the protected space with locations in the redirected space.
54. A computer system for protecting data stored in a portion of a storage device, comprising: protected space designated on the storage device for storing the protected data; redirected storage space in the computer system designated for storing attempted modifications of the protected data; and a redirection driver, installed in the computer system, that intercepts requests to access locations in the protected space and redirects the intercepted requests so that the requests result in accessing locations in the redirected storage space instead of locations in the protected space, thereby leaving the protected space unaltered.
55. The computer system of claim 54 wherein the protected space remains unaltered through a reboot of the computer system, without any restorative copying of the protected data.
56. The computer system of claim 54, further comprising a redirection table that maps locations in the protected space to locations in the redirected storage space, and is used by the redirection driver to determine a location in the redirected storage space to use for redirecting an intercepted request.
57. The computer system of claim 56 wherein the contents of the redirection table are saved by the computer system when the computer system is powered down.
58. The computer system of claim 54 wherein the protected space comprises the entire storage device and the redirected storage space is not located on the storage device.
59. The computer system of claim 54 wherein the redirected storage space is located on the storage device.
60. The computer system of claim 54 wherein an intercepted and redirected access request is a request to read from a location in the protected space.
61. The computer system of claim 54 wherein an intercepted and redirected access request is a request to write to a location in the protected space that is redirected to modify a location in the redirected space.
62. The computer system of claim 54 wherein the storage device is one of a hard disk drive, a read/write CD ROM drive, a floppy disk drive, and a semi-persistent storage device.
63. The computer system of claim 54 wherein the redirection driver refers to the redirected storage space in at least one of files, clusters, virtual clusters, and sectors of data.
64. The computer system of claim 54 wherein the redirection driver refers to the redirected storage space using multiple data addressing abstractions.
65. The computer system of claim 54 wherein the redirection driver implements a virtual cluster data abstraction.
66. The computer system of claim 54 wherein the redirection driver is installed by inserting the redirection driver into a chain of drivers so that it is automatically invoked by the computer system.
67. The computer system of claim 54, further comprising: unprotected space designated on the storage device for allowing modifications to a portion of the storage device.
68. The computer system of claim 67 wherein the redirection driver disregards access requests to the unprotected space.
69. The computer system of claim 67 wherein the redirection driver intercepts and redirects access requests to access locations in the unprotected space so that access to the unprotected data is also redirected.
70. The computer system of claim 67, further comprising an unprotected space table for tracking the locations of the storage device that are designated as unprotected space.
71. The computer system of claim 54 wherein the contents of the redirected storage space are saved by the computer system when the computer system is powered down.
72. A method for securing data in a storage device of a computer system having an operating system and a device driver, comprising: installing a redirection driver before the device driver in a calling sequence of the operating system, so that the operating system invokes the redirection driver in response to receiving a request to access the storage device; under control of the redirection driver, intercepting a request to access a location on the storage device and redirecting the request to access a location in unused storage, such that the data in the location on the storage device remains unaltered; and restarting the computer system from a powered-down state, wherein the data stored in the location on the storage device remains unaltered, without requiring restorative copying of data.
73. The method of claim 72 wherein the redirection driver cannot be uninstalled by a user without special access privileges, thereby forcing the data to be securely maintained.
74. The method of claim 72 wherein the device driver is one of a plurality of device drivers that are arranged in a layered fashion, and wherein the redirection driver is installed between two of these device drivers.
75. The method of claim 74 wherein each driver layer comprises a driver that communicates with an associated device according to a different data abstraction; and wherein the redirection driver can be configured to be installed at different layers depending upon the data abstraction implemented by the redirection driver.
76. The method of claim 72 wherein the redirection driver handles blocks of data defined as at least one of virtual clusters, clusters, sectors, and files.
77. The method of claim 72 wherein the redirection driver handles multiple different data abstractions.
78. The method of claim 72 wherein the computer system comprises redirection tables that are maintained by the redirection driver to manage associations between data that has been redirected by redirecting the access request to the location in unused storage and unaltered data stored on the storage device.
79. A storage access redirection system for securing data in designated locations on a storage device in a computer system, comprising: an available space table; a protected space redirection table; and a redirection driver, installed in the computer system, that automatically intercepts a request to access one of the designated locations; uses the protected space redirection table to determine whether the designated location has been previously redirected; when it is determined that the designated location has been previously redirected, determines an associated redirected location; and redirects the access request to the associated redirected location so that data in the designated location remains unaltered.
80. The storage access redirection system of claim 79, further comprising: an unprotected space table that is used to designate unprotected locations on the storage device that can be altered, wherein the redirection driver intercepts requests to access locations referred to by the unprotected space table and disregards them so that data in the unprotected locations on the storage device is modified according to the access requests.
81. The storage access redirection system of claim 79 wherein the request to access one of the designated locations is a read request.
82. The storage access redirection system of claim 79 wherein the request to access one of the designated locations is a write request.
83. The storage access redirection system of claim 82 wherein the redirection driver, when it is determined that the designated location has not been previously redirected, uses the available space table to allocate a new redirected location, uses the protected space redirection table to map the new redirected location to the designated location, and determines the new redirected location as the associated redirected location.
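The sector-level behaviour claimed above (claims 3 to 31 for the method, 54 to 71 for the system, 79 to 83 for the three tables) is easier to check against a running model than against the claim text. The following is an added example written for this page, not code from the patent or from any product implementing it; it simulates the Redirection Driver over an in-memory block device with a PSRT, an AST and a UST. The sector size, the table layout as Python containers, the choice to treat every sector outside the UST and the redirect area as protected (the whole-device case of claims 6 and 58) and the sample sector contents are all assumptions.

```python
"""Simulation of the claimed Disk Access Redirection System at sector level.
Added example, not the patent's own code; SECTOR_SIZE, the table layout and
the sample contents are assumptions made for illustration."""
import hashlib

SECTOR_SIZE = 16  # bytes per sector, kept small so the example stays readable


class BlockDevice:
    """In-memory stand-in for a sector-addressed storage device (constructed)."""

    def __init__(self, n_sectors):
        self.sectors = [bytes(SECTOR_SIZE) for _ in range(n_sectors)]

    def read(self, lba):
        return self.sectors[lba]

    def write(self, lba, data):
        if len(data) != SECTOR_SIZE:
            raise ValueError("sector-sized writes only")
        self.sectors[lba] = bytes(data)

    def digest(self, first, last):
        """SHA-256 over sectors [first, last), used to prove a region never changed."""
        h = hashlib.sha256()
        for lba in range(first, last):
            h.update(self.sectors[lba])
        return h.hexdigest()


class RedirectionDriver:
    """Sits between requesting code and the device (the driver-chain position of
    claims 5, 66 and 72). Every LBA not in the UST or the redirect area is
    treated as protected, i.e. the whole-device case of claims 6 and 58."""

    def __init__(self, dev, unprotected, redirect_area):
        self.dev = dev
        self.ust = set(unprotected)          # Unprotected Space Table
        self.ast = list(redirect_area)       # Available Space Table: free redirect LBAs
        self.redirect_area = set(redirect_area)
        self.psrt = {}                       # Protected Space Redirection Table
        if self.ust & self.redirect_area:
            raise ValueError("unprotected space and redirect area must not overlap")

    def write(self, lba, data):
        """Intercepted write; returns the LBA that was actually written."""
        if lba in self.redirect_area:
            raise PermissionError("redirect area is not addressable by requesting code")
        if lba in self.ust:
            self.dev.write(lba, data)        # claims 24/80: perform without redirection
            return lba
        if lba not in self.psrt:             # claim 83: first write, allocate from the AST
            if not self.ast:
                # Fail closed: falling through to the protected sector here would
                # silently break the guarantee that it remains unaltered.
                raise OSError("redirected space exhausted; write refused")
            self.psrt[lba] = self.ast.pop(0)
        self.dev.write(self.psrt[lba], data)
        return self.psrt[lba]

    def read(self, lba):
        """Intercepted read; translated only if the LBA was previously redirected."""
        if lba in self.redirect_area:
            raise PermissionError("redirect area is not addressable by requesting code")
        return self.dev.read(self.psrt.get(lba, lba))

    def shutdown(self, commit=False):
        """Claim 25: drop the redirected data so protected sectors reappear unaltered
        on reboot with no restorative copying. With commit=True, claim 28: copy the
        redirected sectors back over their protected originals first."""
        if commit:
            for src, dst in self.psrt.items():
                self.dev.write(src, self.dev.read(dst))
        self.ast.extend(sorted(self.psrt.values()))  # release the redirect sectors
        self.psrt.clear()


def demo():
    """One session: two redirected writes, one unprotected write, then a discard."""
    dev = BlockDevice(16)
    for lba in range(16):
        dev.write(lba, bytes([lba]) * SECTOR_SIZE)       # constructed initial contents
    drv = RedirectionDriver(dev, unprotected={8, 9}, redirect_area=range(12, 16))
    before = dev.digest(0, 8)
    drv.write(3, b"X" * SECTOR_SIZE)                      # copy-on-write into the redirect area
    drv.write(3, b"Y" * SECTOR_SIZE)                      # second write reuses the same LBA
    drv.write(8, b"U" * SECTOR_SIZE)                      # unprotected: lands on the disk
    live = drv.read(3)                                    # requester sees its own write
    during = dev.digest(0, 8)
    drv.shutdown()                                        # discard, as on power-down
    after_reboot = drv.read(3)
    return {"before": before, "during": during, "after": dev.digest(0, 8),
            "live": live, "after_reboot": after_reboot, "unprotected": dev.read(8)}


if __name__ == "__main__":
    r = demo()
    print("protected region unchanged:", r["before"] == r["during"] == r["after"])
```

Two design points are worth noting. First, when the AST is empty the model refuses the write rather than letting it reach the protected sector; the claims say the driver allocates "more space as needed", and whatever a real implementation does at that point, the one thing it must not do is fall through to the original location. Second, the model only sees requests that pass through it: a request issued below the driver's position in the chain, or from a system booted from other media, is not intercepted, which is why claims 66, 72 and 73 tie the protection to the driver's placement and to its not being removable without special privileges.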